Backing Up BitLocker and TPM Recovery Information to AD DS

07/09/2014



Applies To: Windows 7, Windows Server 2008 R2

You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

Using AD DS to store BitLocker recovery information

Backing up recovery passwords for a BitLocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In a default BitLocker installation, recovery information is not backed up and local users must be responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, the administrator cannot easily get access to the drive. To mitigate this situation, administrators can configure Group Policy settings to enable backup of BitLocker and TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup.

You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

If you are running Windows Server 2008 R2 or Windows Server 2008, follow the same process described for Windows Server 2003 with SP1 or later, with one exception: you do not need to update the schema as described later in this document.

Important

You should perform the steps described in the following topics in a test or pre-production environment prior to deploying to production environments.

Before you begin

Download and review the following sample scripts, which are used in the procedures below to configure AD DS for backing up BitLocker recovery information:

List-ACEs.vbs: This script lists or removes the ACEs configured on BitLocker and TPM schema objects for the top-level domain, so that you can verify that the expected ACEs have been added, or remove any ACEs related to BitLocker or the TPM if necessary.

Get-TPMOwnerInfo.vbs: This script retrieves TPM recovery information from AD DS for a particular computer, so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and that the information is being backed up correctly.

Get-BitLockerRecoveryInfo.vbs: This script retrieves BitLocker recovery information from AD DS for a particular computer, so that you can verify that only domain administrators (or delegated roles) can read backed up BitLocker recovery information and that the information is being backed up correctly.

Storing BitLocker recovery information in AD DS

Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object.

Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object because multiple recovery passwords can be associated with a BitLocker-protected drive and multiple BitLocker-protected drives can be associated with a computer.

The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The form is:

<Object Creation Date and Time><Recovery GUID>

For example:

2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

The common name (CN) for the BitLocker recovery object is ms-FVE-RecoveryInformation. Each ms-FVE-RecoveryInformation object has the following attributes:

ms-FVE-RecoveryPassword

This attribute contains the 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.

ms-FVE-RecoveryGuid

This attribute contains the GUID associated with a BitLocker recovery password. When in BitLocker's operating system drive recovery mode and when attempting to recover a data drive from within the operating system, this GUID is displayed to the user so that the correct recovery password can be located to unlock the drive. This GUID is also included in the name of the recovery object.

ms-FVE-VolumeGuid

This attribute contains the GUID associated with a BitLocker-protected drive.

While the recovery password identifier (stored in ms-FVE-RecoveryGuid) is unique for each recovery password, this drive identifier is unique for each BitLocker-protected drive.

The recovery object can also hold the optional key package (the package containing the actual encryption keys, mentioned at the start of this article). With this key package and the recovery password (stored in ms-FVE-RecoveryPassword), you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package works only for the drive that has the corresponding drive identifier (stored in ms-FVE-VolumeGuid). You must use the BitLocker Recovery Password Viewer to make use of this key package. For more information, see BitLocker Recovery Password Viewer for Active Directory.
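As an added example (not code from this article or from the BitLocker Deployment Sample Scripts), the following Python parses the fixed-length recovery object name described above into its creation time and recovery GUID, and checks that the GUID embedded in the name agrees with the object's ms-FVE-RecoveryGuid attribute. The sample objects are constructed inline: the first reuses the article's own example name, the second is deliberately inconsistent. In a real check the name and attribute values would be read from the directory; the timestamp, GUID and length rules are exactly those stated in the text.

```python
import re
from datetime import datetime

# Name layout described in the text: an ISO 8601 timestamp with UTC offset
# (25 characters) immediately followed by a braced GUID (38 characters),
# 63 characters in total.
NAME_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)


def parse_recovery_object_name(name):
    """Split an ms-FVE-RecoveryInformation object name into its creation
    time (timezone-aware datetime) and recovery GUID (uppercase, braced).
    Raises ValueError for anything that does not match the fixed layout."""
    if len(name) != 63:
        raise ValueError(f"expected 63 characters, got {len(name)}")
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a <timestamp><GUID> name: {name!r}")
    created = datetime.fromisoformat(m.group("created"))
    return created, m.group("guid").upper()


def name_matches_recovery_guid(name, ms_fve_recovery_guid):
    """True when the GUID in the object name equals the object's
    ms-FVE-RecoveryGuid attribute. The comparison ignores case and
    tolerates an attribute value written without braces."""
    _, guid = parse_recovery_object_name(name)
    attr = ms_fve_recovery_guid.strip().upper()
    if not attr.startswith("{"):
        attr = "{" + attr + "}"
    return guid == attr


# Constructed sample objects (not real directory data). The first uses the
# article's example name; the second has a GUID that disagrees with its name.
SAMPLE_OBJECTS = [
    {"name": "2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}",
     "ms-FVE-RecoveryGuid": "063ea4e1-220c-4293-ba01-4754620a96e7"},
    {"name": "2006-01-12T09:15:00+01:00{1B2C3D4E-5F60-4718-8A9B-0C1D2E3F4A5B}",
     "ms-FVE-RecoveryGuid": "{11111111-2222-3333-4444-555555555555}"},
]


def find_inconsistent_objects(objects):
    """Return the names of objects whose name GUID and ms-FVE-RecoveryGuid disagree."""
    return [o["name"] for o in objects
            if not name_matches_recovery_guid(o["name"], o["ms-FVE-RecoveryGuid"])]


if __name__ == "__main__":
    created, guid = parse_recovery_object_name(SAMPLE_OBJECTS[0]["name"])
    print("created:", created.isoformat(), "recovery GUID:", guid)
    print("inconsistent objects:", find_inconsistent_objects(SAMPLE_OBJECTS))
```

The strict length and pattern checks matter because a script that locates recovery passwords by GUID (as BitLocker Recovery Password Viewer does) silently misses objects whose names were renamed or truncated; rejecting them loudly is preferable to returning no match.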

If you want to verify that your AD DS (or Active Directory) schema has the required attributes to back up TPM and BitLocker recovery information, follow the instructions in Verify BitLocker and TPM Schema Objects.

Storing TPM recovery information in AD DS

There is only one TPM owner password per computer. When the TPM is initialized or when this password is changed, the hash of the TPM ownership password gets backed up as an attribute of the computer object.

The common name (CN) for the TPM attribute is ms-TPM-OwnerInformation.

Configuring AD DS

Complete the following tasks to configure AD DS to back up BitLocker and TPM recovery information.

Check general prerequisites

Ensure that the following prerequisites are met:

All domain controllers accessible by BitLocker-capable client computers are running Windows Server 2003 with SP1 or SP2. On each domain controller, click Start, right-click My Computer, and then click the General tab.

Important

If the General tab lists Windows Server 2003 but no service pack information, you need to install a service pack to be able to back up BitLocker recovery information to AD DS. For more information, see Windows Server 2003 Service Packs (http://go.microsoft.com/fwlink/?LinkID=43106).

The BitLocker and TPM schema extension marks selected attributes as "confidential" by using the "searchFlags" property. The "confidential" flag is a feature available in Windows Server 2003 with SP1 and later. With this feature, only domain administrators and appropriate delegates have Read access to attributes marked with the confidential flag.

BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed-functional-level environments (or upgraded), because backed up BitLocker and TPM information will not be protected on those domain controllers.

You have domain administrator privileges in the target forest or are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Schema Admins groups are examples of accounts that have the appropriate permissions.

You have obtained the following files:

BitLockerTPMSchemaExtension.ldf if you need to extend the Active Directory schema.

Add-TPMSelfWriteACE.vbs to allow the computer account to back up the TPM owner information to AD DS.

Extend the schema (Windows Server 2003 domain controllers only)

The following procedure extends the schema to allow information to be saved in Active Directory.

Important

If your domain controller is running Windows Server 2008 or Windows Server 2008 R2, you do not need to complete this procedure. These operating systems already include the necessary schema extensions.

To extend the Active Directory schema with BitLocker and TPM attributes

Log on with a domain account in the Schema Admins group. This account must be used to extend the schema.

Use the Ldifde command-line tool to extend the schema on the domain controller that serves as the schema operations master. For example, to import the schema extension on a domain named nttest.microsoft.com, log on as a user in the Schema Admins group, and then type the following at a command prompt:

Set the required permissions for backing up TPM password information

The following procedure adds an access control entry (ACE) so that backing up TPM recovery information is possible.

A client computer running Windows 7 can back up BitLocker recovery information under the computer object's default permission. However, a client computer running Windows 7 cannot back up TPM owner information unless this additional ACE is added.

Review the topic Default AD DS Permissions for a Computer Object, in the appendices, to learn about the default AD DS permissions on the computer class object that contains the BitLocker recovery information class and the TPM owner information attribute.

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for computer objects in the domain.

The sample script provided operates under the following assumptions:

You have domain administrator privileges to set permissions for the top-level domain object.

Your target domain is the same as the domain for the user account running the script.

For example, running the script as TESTDOMAIN\admin will extend permissions for TESTDOMAIN. You might need to modify the sample script if you want to set permissions for multiple domains but do not have domain administrator accounts for each of those domains. Find the variable strPathToDomain in the script, and modify it for your target domain. The following is an example:

"LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"

Your domain is configured so that permissions inherit from the top-level domain object to targeted computer objects.

Permissions will not go into effect if any container in the hierarchy does not allow inherited permissions from the parent. By default, AD DS enables inheritance of permissions. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permission. You can then verify your configuration as described later in this document, or by clicking the Effective Permissions button while viewing the properties of a computer object, to check that SELF can write the ms-TPM-OwnerInformation attribute.

Configure Group Policy to enable backup of BitLocker and TPM recovery information in AD DS

These instructions are for configuring the local policy on a client computer running Windows 7. In a production environment, you would likely edit a Group Policy object (GPO) that applies to computers in the domain instead.

We recommend that you keep the default options when you enable each Group Policy setting. Be sure to read the Explain text before making any changes to understand the impact of the different options.

There are two separate procedures in this section: one for configuring the policy setting that is applied to computers running Windows Vista or Windows Server 2008, and the other for configuring the policy setting that is applied to computers running Windows 7 or Windows Server 2008 R2.

To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows Vista or Windows Server 2008

Log on to the computer with an account that has administrative credentials.

Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER to open the Local Group Policy Editor.

Click Enabled, and then configure the following settings as appropriate for your environment:

Select Require BitLocker backup to AD DS if you want to prevent users from enabling BitLocker on computers that are not currently able to connect to a domain controller. If this setting is not selected, BitLocker will attempt to store recovery information in AD DS, but if it fails for any reason BitLocker will still be enabled and the recovery information will not be present in AD DS for that drive.

In Select BitLocker recovery information to store, select either Recovery passwords and key packages or Recovery passwords only. Key packages are used with the Repair-bde command-line tool to perform specialized recovery when the disk is damaged or corrupted. For more information, see the Repair-bde.exe Parameter Reference.

The Require TPM backup to AD DS check box is selected by default. When this option is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup succeeds.

To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows 7 or Windows Server 2008 R2

Log on to the computer with an account that has administrative credentials.

Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER to open the Local Group Policy Editor.

In the details pane, double-click the drive type subfolder—either Operating System Drive, Fixed Data Drive, or Removable Data Drive—for which you want to store recovery information in AD DS. Each drive type may have recovery information stored. The remainder of this procedure will use Fixed Data Drive as the example, but each drive type follows the same configuration steps and includes the same setting options.

In the details pane, double-click Choose how BitLocker-protected fixed drives can be recovered.

Click Enabled, and then configure the following settings as appropriate for your environment:

In Select BitLocker recovery information to store, select either Recovery passwords and key packages or Recovery passwords only. Key packages are used with the Repair-bde command-line tool to perform specialized recovery when the disk is damaged or corrupted. For more information, see the Repair-bde.exe Parameter Reference.

Select the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When this setting is selected, a recovery password is automatically generated.

The Require TPM backup to AD DS check box is selected by default. When this option is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup succeeds.

Testing your Active Directory configuration

By joining the Windows 7–based client computers to the domain that you just configured and enabling BitLocker, you can test whether BitLocker and TPM recovery information is backed up to AD DS successfully.

All user interfaces and programming interfaces within BitLocker and TPM Management features will adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) will be automatically backed up to AD DS whenever this information is created and changed.

If you select the option to require backup, initializing the TPM or enabling BitLocker through any method is blocked until the backup succeeds. In that case, no one will be allowed to turn on BitLocker or initialize the TPM unless the domain controller is configured correctly, the client computer has network connectivity to the domain controller, and no other errors occur during the backup process.

Testing the backup with Windows 7

You should use a client computer running Windows 7 to test the backup process.

BitLocker recovery information is backed up when you:

Create a recovery password during BitLocker setup, using the wizard available through the Control Panel.

Create a recovery password after the disk has already been encrypted, using the Manage-bde.exe command-line tool.

TPM recovery information is backed up when you:

Set the TPM owner password during TPM initialization.

Change the TPM owner password.

Sample test scenario with Windows 7

This sample test scenario illustrates how to verify your Active Directory configuration by using Windows 7. It uses the BitLocker Deployment Sample Scripts that are available to download to assist in the test process.

Important

You should perform additional tests as required to verify that everything is working correctly in your environment; do not assume that this scenario will completely test all aspects of your configuration.

Test scenarios can also vary based on your organization's policies. For example, in organizations where users are the Creator Owner of computer objects that they join to the domain, it might be possible for these users to read the TPM owner information for their own computer objects.

To perform the sample test

Log on to a domain controller as a domain administrator.

Copy the sample script files to a location accessible by both the domain controller and the client computers.

Open a Command Prompt window, and change the default location to the location of the sample script files.

At the command prompt, type the following:

cscript List-ACEs.vbs

Expected result: Assuming that the default Add-TPMSelfWriteACE.vbs was used and other deprecated ACEs have been removed, there is only one ACE related to BitLocker and the TPM. The following is an example of the output:

Accessing
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
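The numeric fields in that output are ADSI enumeration values, and reading them by eye is error-prone. As an added example (not one of the sample scripts and not code from this article), the following Python parses List-ACEs.vbs output of the form shown above, decodes the fields with the documented ADSI constants (ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5, ADS_ACEFLAG_INHERIT_ACE = 2, ADS_ACEFLAG_INHERIT_ONLY_ACE = 8, ADS_FLAG_OBJECT_TYPE_PRESENT = 1, ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2, ADS_RIGHT_DS_WRITE_PROP = 32), and reports whether the domain carries exactly the one expected ACE: SELF may write ms-TPM-OwnerInformation on computer objects, inherited from the domain root. The two inputs are constructed: the first reproduces the expected output, the second appends a deprecated, overly broad ACE of the kind the text says should already have been removed.

```python
import re

# ADSI constants used to decode the numeric fields that List-ACEs.vbs prints
# (ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_FLAGTYPE_ENUM, ADS_RIGHTS_ENUM).
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACEFLAG_INHERIT_ACE = 0x2            # ACE is inherited by child objects
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8       # ACE does not apply to the domain object itself
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1       # ObjectType GUID is meaningful
ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2  # InheritedObjectType GUID is meaningful
ADS_RIGHT_DS_WRITE_PROP = 0x20           # write the named property only

# schemaIDGUIDs taken from the expected output above: the attribute being
# written, and the object class that inherits the ACE (the computer class).
MS_TPM_OWNERINFORMATION_GUID = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
COMPUTER_CLASS_GUID = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

FIELD_RE = re.compile(r"^>\s*(\w+):\s*(.+?)\s*$")


def parse_list_aces_output(text):
    """Group the '> Field: value' lines of List-ACEs.vbs output into one dict per
    ACE. A new ACE starts at each AceFlags line; numeric fields become ints."""
    aces, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # banner and summary lines are ignored
        key, value = m.groups()
        if key == "AceFlags":
            current = {}
            aces.append(current)
        if current is None:
            continue
        current[key] = int(value) if value.isdigit() else value
    return aces


def is_tpm_self_write_ace(ace):
    """True when the ACE is exactly the one Add-TPMSelfWriteACE.vbs is expected to
    add: allow SELF to write ms-TPM-OwnerInformation, inherited by computer objects."""
    return (
        ace.get("AceType") == ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        and ace.get("AceFlags") == ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE
        and ace.get("Flags") == ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
        and ace.get("AccessMask") == ADS_RIGHT_DS_WRITE_PROP
        and str(ace.get("ObjectType", "")).upper() == MS_TPM_OWNERINFORMATION_GUID
        and str(ace.get("InheritedObjectType", "")).upper() == COMPUTER_CLASS_GUID
        and str(ace.get("Trustee", "")).upper() == r"NT AUTHORITY\SELF"
    )


def check_expected_result(text):
    """Return (ok, findings). ok is True only when exactly one ACE is present and
    it is the expected SELF write-property ACE; findings explains any deviation."""
    aces = parse_list_aces_output(text)
    findings = []
    if len(aces) != 1:
        findings.append(f"expected 1 BitLocker/TPM ACE, found {len(aces)}")
    for i, ace in enumerate(aces):
        if not is_tpm_self_write_ace(ace):
            findings.append(f"ACE #{i} is not the expected SELF write ACE: {ace}")
    return not findings, findings


# Constructed sample: the expected output from the text, field values verbatim.
EXPECTED_OUTPUT = """\
Accessing
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
"""

# Constructed sample: the same output plus a leftover ACE that grants Everyone
# read and write (0x30) on the attribute, which the check must flag.
UNEXPECTED_OUTPUT = EXPECTED_OUTPUT + """\
> AceFlags: 2
> AceType: 5
> Flags: 3
> AccessMask: 48
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: Everyone
"""

if __name__ == "__main__":
    for label, text in (("expected", EXPECTED_OUTPUT), ("unexpected", UNEXPECTED_OUTPUT)):
        ok, findings = check_expected_result(text)
        print(label, "->", "OK" if ok else "; ".join(findings))
```

Feed it the real script output redirected to a file (cscript List-ACEs.vbs > aces.txt) and the check gives a yes/no answer that can be kept with the change record for the domain; any extra ACE, a wider access mask than write-property, or a trustee other than SELF is reported rather than overlooked.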

Log on as a local administrator (non-domain administrator) to a Windows 7–based client computer that is a member of the domain.

Click Start, type tpm.msc in the Search programs and files box, and then press ENTER.

Click either the Initialize TPM or Change Owner Password link.

Set an owner password, and select the option to back up the information by printing or saving to a file as needed.

Expected result: The action succeeds without an error message.

Using this same account, open an elevated Command Prompt window, and then change to the folder in which you have saved a copy of the sample scripts provided with this document.

Note

To open an elevated Command Prompt window, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

At the command prompt, type the following:

cscript Get-TPMOwnerInfo.vbs

Expected result: The error "Active Directory: The directory property cannot be found in the cache" appears. No information is displayed because a non-domain administrator should not be able to read the ms-TPM-OwnerInformation attribute.

Note

If users are the Creator Owner of computer objects that they join to the domain, it might be possible for these users to read the TPM owner information for their own computer objects.

Log on as a domain administrator on the same client computer.

Using this domain administrator account, open an elevated Command Prompt window, and change to the directory in which you have saved a copy of the sample scripts provided with this document.

At the command prompt, type the following:

cscript Get-TPMOwnerInfo.vbs

Expected result: A string that is the hash of the password you created earlier is displayed.

As a domain administrator, you should have Read access to the ms-TPM-OwnerInformation attribute.

At the elevated command prompt, type the following to turn on BitLocker and create a recovery password:

manage-bde -on C: -RecoveryPassword

Expected result: The action succeeds without an error message.

After the drive has completed encryption, at the command prompt, type the following to back up the recovery password to AD DS, replacing recoveryGUID with the full recovery key identification GUID of the recovery password you are storing in AD DS:

manage-bde -protectors -adbackup C: -id {recoveryGUID}

Note

The full recovery key identification GUID is printed when you print the BitLocker recovery key.

At the command prompt, type the following to read all BitLocker child objects of the client computer's Active Directory object:

cscript Get-BitLockerRecoveryInfo.vbs

Expected result: One or more recovery passwords is displayed, including the one created in the previous step.

A non-domain administrator will not be able to read these passwords.

Delete any created BitLocker recovery child objects by using Active Directory tools such as the Active Directory Users and Computers snap-in. By default, client computers running Windows 7 do not have permissions to delete BitLocker recovery passwords.

Troubleshooting common problems with AD DS backup

The following section discusses some potential problems and their solutions.

Access permission problems

If you are able to read backed up BitLocker and TPM recovery information by using a non–domain administrator account, check that you are running supported installations of Windows Server on all the domain controllers in your network.

Important

Domain controllers must be running Windows Server 2003 SP1 or SP2 to support backing up BitLocker and TPM recovery information.

Script errors

You might receive an error message when you run a script. The following sections explain the causes of and solutions for the most frequent script errors.

Get-TPMOwnerInfo.vbs

When running Get-TPMOwnerInfo.vbs, if an error appears stating "Active Directory: The directory property cannot be found in the cache," it means that you are logged on with an account that does not have permission to read the TPM owner information attribute object in AD DS.

General

If an error appears stating "The specified domain either does not exist or could not be contacted," ensure that the computer is joined to the domain and that network connectivity is available.

If an error appears stating "There is no such object on the server," check that any computer specified by name on the command line is currently connected to the network.

If an error is accompanied by the line number in which the error occurred, consult the script source code to assist in troubleshooting the issue.